Re: Keeping Passwords Secure
Date: Mon, 19 Sep 1994 13:53:13 GMT
Message-ID: <jshowers-1909940953230001_at_mac25.cmi.on.ca>
In article <1994Sep14.193534.1_at_corp02.d51.lilly.com>,
jl34778_at_corp02.d51.lilly.com wrote:
> I beg to differ. Under Solaris 2.3, if you issue the command sqlplus
$UID/$PWD,
> the UID and PWD variables will be expanded, and you see the values when you do
> a ps -ef.
>
Jess. And an ps -efl will show long command lines (those with many padded spaces).
> Have you thought about using OPS$ accounts? This would require that you have a
> separate unix ID for each user. I would assume that you have this, otherwise
> the students would be able to see each other's text files.
And then you have security issues. Let's say you want a user to re-build some indexes or some other high security item. In which case you want to run secure items as 'owner' or some other role.
We've implemented a solution that seems foil ps.. and other issues
Problem 1 - PS is showing passwords, vis a vis command line
first in general you can use (or some shell variation)
echo 'password' | sqlplus 'username' _at_some_sill_script
What this does is hide the 'password' from ps (ok. it does appear it does appear for a micro-second, then disapears!)
Problem 2 - Passwords are still in some readable form
But this creates another problem. Namely the 'password' is now in some readable format (ie. shell script, alias --> history, etc.) And shell scripts must be readable (+r) in order for a user to execute.
Solution. Put the "echo 'password' | sqlplus .... " into a perl script. Perl scripts can be (through a little coding, and recompiling) encoded. Perl will detect a coded script, and decode on the fly. Now just keep your perl source under lock and key, and everythings cool.
Jodi. Received on Mon Sep 19 1994 - 15:53:13 CEST